back to article Londoner who tried to blackmail Apple with 300m+ iCloud account resets was reusing stale old creds

A 22-year-old Londoner has been given 300 hours of community service and a State-enforced bedtime after trying to blackmail Apple with hundreds of millions of previously compromised login credentials. Kerem Albayrak, 22, demanded Apple give him $75,000 in crypto-currency or a thousand $100 iTunes gift cards. If the maker of …

  1. bpfh Silver badge
    Flame

    Stale old creds...

    But some of them still worked apparently. I hope Apple has some mass restore functions available to anyone who may have had their accounts squashed if he did carry out his threat. I guess saying not to reuse passwords is preaching to the choir here, but it’s still an uphill battle for the great unwashed...

    1. Blackjack

      Re: Stale old creds...

      Forcing a user to reset the password is quite easy. Just force them to prove is them when they log in and then force them to register a new password.

      Companies just don't like to do that because they hate admitting data leaks.

      1. Alumoi
        Facepalm

        Re: Stale old creds...

        Capital idea, old chap. Let's force all people to register with the government if they want to use the internet and present to each and every site the credentials issued. Make it a capital crime using any form of hiding your real identity on the internet.

        Oh, wait. It won't work if we don't force the people to use only government issued computers/phones/tablets loaded with approved software which can't be removed.

        There, much better. Now we won't have to worry about identity theft and data breaches.

      2. Martin M

        Re: Stale old creds...

        You say just “force the user to prove it’s them”, which is a spectacularly circular argument. The definition of authentication is asking the user to prove who they are - and if you had a better method of doing so than the password, you wouldn’t need the password. It also ignores the possibility that accounts may be pseudonymous, and therefore have no corresponding real world identity at all.

        Finally, it’s unclear from the article whether Apple knew which accounts were potentially affected. Forcing a password reset on the entire user population would have been disproportionate, particularly as it turns out that most of the credentials were stale and there had in fact *been no data breach” (from Apple).

    2. katrinab Silver badge

      Re: Stale old creds...

      iCloud has had two factor authentication for a while now. It may be possible to disable it, I haven't explored this, but also I haven't noticed any obvious way to do it, so I doubt that many people have done it.

      1. Blackjack

        Re: Stale old creds...

        If one of those two parts is cellphone text messages then it is unsafe as hell.

        1. Anonymous Coward
          Anonymous Coward

          Re: Stale old creds...

          “ If one of those two parts is cellphone text messages then it is unsafe as hell.”

          Please stop repeating that old trope without understanding where it comes from. As always, it depends wholly on your threat model. Who exactly do you believe is both capable of, and willing to perform 300 million SIM swaps? Answers on a postcard...

          SMS MFA is better than no MFA. Ofc that’s a relative assessment. Is it good enough? That’s a different question and depends on your particular threat model. For my cloud account? Sure. For a celebrity, investigative journalist, union leader etc? Quite probably not.

          Repeating “SMS MFA is insecure” is actively unhelpful and wrong. I’m paid to breach perimeter security. If you ain’t got MFA I’ll bet good money on getting in to the vast majority of organisations. All I need are creds, which is nothing more than a numbers game. Creds + MFA is a whole other game. It’s probably the easiest way to handle your dumb ass users picking Christmas123! as their password.

          1. Blackjack

            Re: Stale old creds...

            https://duckduckgo.com/?q=two+step+verification+text+sms

            https://arstechnica.com/tag/two-factor-authentication/

            Read and weep.

          2. Anonymous Coward
            Anonymous Coward

            Re: Stale old creds...

            SMS 2FA is in some ways the equivalent of 'security through obscurity'.

            Because yes, 'security through obscurity' actually works just fucking great for most people.

            Sure, it's of very little use to a targeted attack, but most people aren't subject to targetted attacks, instead it's just the random drive-by attacks, like the one in TFA.

            If your device is just that little bit out of the ordinary, say your ssh is on port 2222, you're going to be avoiding a lot of the random port scanning for vulnerabilities that might be a problem anyway.

  2. Blockchain commentard Silver badge
    Facepalm

    a six-month electronic curfew

    What's that then, not allowed to use computers at night time or having a baby monitor in his bedroom?

    1. macjules Silver badge

      Re: a six-month electronic curfew

      Wears a tag on his leg and must be at home by a certain time, or else he is in breach of his suspended sentence..

      Quite a lenient sentence for a fantasist; I wonder what he would have got had he been extradited to the USA and slung in the oubliette?

  3. Pascal Monett Silver badge

    How does this work ?

    Okay, I get that he didn't kill anyone, but he attempted blackmail on a grand scale. He threatened (baselessly as it turns out) tens of thousands of possible victims to extort money.

    Again, he didn't kill anyone, but that level of threat, to me, means he should have gone to prison for six months, not just have an electronic curfew.

    The sentence seems a bit light, in other words. I guess the judge found him to not be that much of a threat after all. Either that or he's setting the guy up for a major sentence next time around.

    1. Martin Summers Silver badge

      Re: How does this work ?

      I'd say he's setting him up for next time around. I'd rather not have the prisons full of guys like this who pose no danger to life and have not had a substantial impact on people's lives generally. If you put his crime against those of the utter knobs that crippled the NHS, that's all the perspective I need.

    2. mics39

      Re: How does this work ?

      Boris can always send him over to US.

    3. Oh Homer
      Big Brother

      Re: The sentence seems a bit light

      As part of a hacker group, my guess is he cut a deal to sell out his partners in crime.

      But even if Albayrak was a loner and his "group" was a mere fantasy, I'm sure the NCU won't treat it as such, because today's "everything is terrorism" paranoid approach to criminal investigation will ensure he becomes a permanent addition to their watchlist.

      Of course, in order for the NCU to have something to watch, useful or otherwise, Albayrak has to be cut loose.

      So in reality this sentence is more sinister than it first appears, although in fairness Albayrak only has himself to blame.

  4. Anonymous Coward
    Anonymous Coward

    Either he was a total n00b or there are known weaknesses in the iCloud

    For apple to have taken the demand seriously and spend 10s to 100s of K on this matter you cannot help to think that there is something fishy in the iCloud. Have we already forgotten what a little kiddie from Melbourne was able to do a few years ago.

    Why all of you want to send him to the chair anyway? Were there any threats of violence? Sure there was extortion, but we've seen what happen to hackers when you send them to Belmash.

    1. Anonymous Coward
      Anonymous Coward

      Re: Either he was a total n00b or there are known weaknesses in the iCloud

      This person strikes me as someone at the "a little knowledge is a dangerous thing" stage rather than a member of the hacking elite. It looks like he tried to bluff Apple without having the ability to deliver or to adequately mask his tracks.

      "For apple to have taken the demand seriously and spend 10s to 100s of K on this matter you cannot help to think that there is something fishy in the iCloud. Have we already forgotten what a little kiddie from Melbourne was able to do a few years ago."

      Whilst this is possible, there are some companies who will throw money way in excess of the value of a crime at going after someone just to send a message "Don't try this on us" for the deterrent effect. If your company gets a reputation as one not to mess with, the savings made by having to investigate less crimes and the increased customer confidence from showing you're on top of such things may be worth it. Other companies that have government contracts or that work in regulated industries may have no choice but to report an attempted crime and go after the perp.

    2. robidy Bronze badge

      Re: Either he was a total n00b or there are known weaknesses in the iCloud

      0 day exploits happen...and surprise companies...otherwise they wouldn't 0dayers.

      I have some sympathy with your second comment, sloppy systems are not just a fault of the criminal.

      Insurances companies don't pay out for buglaries when you leave the house unlocked for a reason. They also increase your premiums when you claim for items you lose/damage.

    3. Rob Daglish

      Re: Either he was a total n00b or there are known weaknesses in the iCloud

      >For apple to have taken the demand seriously and spend 10s to 100s of K on this matter you cannot >help to think that there is something fishy in the iCloud

      Yeah, but to play Devil's advocate, having had issues previously, isn't it better to have an investigation and get a third party (NCA) involved and say "we've found no issues on this occasion" rather than just cover up and go "nothing to see here guv"? What they spend on marketing would make this a drop in the ocean, and it would be better for them to be seen to doing something rather than ignoring a potential issue. Or maybe I'm just holding it wrong.

  5. Aussie Doc
    Holmes

    Goodness me.

    Spokes tout: But cyber-crime doesn't pay.

    Narrator's voice: But the punishment suggests that it can be a minor irritation for some thus may be worth the effort.

  6. vogon00

    Script Kiddie Plus

    Ok, 20 years old at time of offence, and the effort wasn't particularly difficult....so in my mind all he is is a Scrpt Kiddie. He gets the 'plus' elevation not for tech skills, but learning how to bluff with confidence.

    He's a knob, who has probably made himself unemployable in the I.T. industry, unless he does the 'poacher turned gamekeeper' and becomes a white-or-neutral hatted 'Security Researcher'.

    Please don't employ this total twonk in anything that requires a degree of trust or credability, it won't end well..

  7. ElectricPics

    Thick as a castle wall. No tangible risk other than the baseless threats. That said, this has similarities with blackmail attempts against food retailers which had no basis but caused immense disruption and cost.

  8. Anonymous Coward
    Anonymous Coward

    Boristan starts soon

    Expulsion becomes an option.

    Troll, yes, but who knows...

  9. edris90

    If I was inclined to hack Apple, instead of trying to blackmail them I would set them up to be embarrassed, reset the accounts wordlessly, and then do it again, post various secrets... Etc.

    All too temporarily drive down the market confidence in the company

    The idea is to predictably drive their stock down, and bet against them on the stock market in conjunction, to make that money.

    Then leave a trail for them to follow to re-secure their Network, bet in their favor on the stock market using the gains from the previous Gamble, when stock rises again In response to the press reports are they more secure than ever.

    Rinse and repeat.

    I know in stock market they tend to use other words to describe these processes but I'm not here to argue semantics. An investment it's just a gamble by another name. I identify operations Identify by functions, it makes it easier not to be tricked Into false distinguishment and ethical whitewashing through clever wording

    1. gnasher729 Silver badge

      Trying to exploit the stock market makes you visible, which makes you found, which gets you thrown in jail.

      Now he could have demanded 75 million instead of 75 thousand. Here the question is: What does this do to your life expectancy?

  10. Maximum Delfango
    Facepalm

    If you've got nothing to hide, you've got nothing to fear...

    ^ Let me get this piece of idiocy out there before someone else does.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020